Date: Fri, 08 Jun 2001 00:41:41 -0700
From: Terry Lambert
Reply-To: tlambert2@mindspring.com
To: Robert Watson
Cc: "Jacques A. Vidrine", Sheldon Hearn, Mark Murray, arch@FreeBSD.ORG
Subject: Re: PAM, S/Key and authentication schemes.
Message-ID: <3B2081B5.579A9888@mindspring.com>

Robert Watson wrote:

[ ... PAM API ... ]

> PAM is recognizably not perfect, but as Terry points out,
> creating the "perfect modular authentication, authorization,
> accounting, and credential-management API" is not a trivial
> task. In general, I'd strongly oppose efforts to simply
> hack up a replacement unless they were seriously thought
> through, and experimented with over an extended period of
> time in extremely diverse environments.

My main fear was that they were going to go to PAM, and since PAM is completely inadequate for anything Kerberos, break Kerberos and similar systems completely and irrevocably.

The point is that you can't just "go to PAM for everything" and "simplify the world".

If they wanted to hack up a superset of PAM that could embrace both PAM and Kerberos, I wouldn't object, but it looks like Sun is ducking that issue for now, themselves, and that it's probably a pretty hard target.

-- Terry